Security at TigerLabel

Security and data protection are at the core of everything we do. We implement industry-leading security practices to protect your data and ensure platform reliability.

  • SOC 2 Type II: Certified
  • ISO 27001: Certified
  • GDPR: Compliant
  • HIPAA: Available

1 Infrastructure Security

TigerLabel's infrastructure is built on Amazon Web Services (AWS), leveraging enterprise-grade security features and best practices for cloud architecture.

Cloud Infrastructure

  • AWS GovCloud and standard regions
  • Multi-AZ deployment for high availability
  • Auto-scaling based on demand
  • Regional data residency options

Network Security

  • Private VPC with isolated subnets
  • Web Application Firewall (WAF)
  • DDoS protection via AWS Shield
  • Network segmentation and ACLs

Encryption

  • TLS 1.3 for data in transit
  • AES-256 encryption at rest
  • AWS KMS for key management
  • Encrypted database backups

Data Storage

  • Encrypted S3 buckets with versioning
  • RDS with automated backups
  • Point-in-time recovery capabilities
  • Immutable backup storage

Infrastructure as Code

All infrastructure is managed as code using Terraform, enabling version control, peer review, and consistent deployments across environments. Infrastructure changes undergo automated security scanning before deployment.

2 Application Security

We follow secure development practices throughout the software development lifecycle to prevent vulnerabilities and protect against common attack vectors.

2.1 Secure Development Lifecycle

1. Security by Design

Security requirements are defined at the design phase. All features undergo security review before implementation.

2. Code Review

All code changes require peer review with security considerations. Security-sensitive changes require additional security team review.

3. Automated Testing

Continuous integration includes SAST, dependency scanning, and security unit tests. No deployment without passing security checks.

4. Penetration Testing

Annual third-party penetration testing and continuous vulnerability assessments by independent security firms.

2.2 OWASP Top 10 Protection

We implement comprehensive protections against the OWASP Top 10 vulnerabilities:

  • Injection Protection: parameterized queries, input validation, ORM usage
  • Authentication Security: MFA, password hashing (bcrypt), session management
  • Sensitive Data Exposure: encryption at rest and in transit, secure key storage
  • XXE Protection: XML parsers configured to prevent entity expansion
  • Access Control: RBAC, principle of least privilege, authorization checks
  • Security Misconfiguration: hardened configurations, minimal services, regular updates
  • XSS Protection: Content Security Policy, output encoding, React XSS prevention
  • Deserialization: integrity checks, restricted deserialization contexts
  • Component Vulnerabilities: automated dependency scanning, regular updates, SBOMs
  • Logging & Monitoring: comprehensive audit logs, real-time alerting, SIEM integration

2.3 API Security

  • OAuth 2.0 and JWT-based authentication
  • Rate limiting and throttling to prevent abuse
  • Request validation and schema enforcement
  • API gateway for centralized security controls
  • Comprehensive API logging and monitoring

3 Data Protection

Protecting your data is our highest priority. We implement multiple layers of security to ensure your data remains confidential, available, and tamper-proof.

Encryption

  • TLS 1.3 for all data in transit
  • AES-256 encryption for data at rest
  • Field-level encryption for sensitive data
  • Encrypted database connections
  • Encrypted backups and snapshots

Access Controls

  • Role-Based Access Control (RBAC)
  • Principle of least privilege
  • Multi-factor authentication (MFA)
  • SSO integration (SAML, OAuth)
  • Session timeout and management

Data Isolation

  • Logical data separation per customer
  • Isolated execution environments
  • Network segmentation
  • Private dedicated instances (Enterprise)
  • Regional data residency options

Monitoring & Auditing

  • Comprehensive audit logs
  • Real-time security monitoring
  • Anomaly detection and alerting
  • User activity tracking
  • Tamper-proof log storage

3.1 Backup and Disaster Recovery

  • Automated Backups

    Continuous backups with point-in-time recovery up to 35 days

  • Geographic Redundancy

    Backups replicated across multiple AWS regions

  • Disaster Recovery

    RTO of 4 hours, RPO of 1 hour for critical systems

  • Regular Testing

    Quarterly disaster recovery drills and backup restoration tests

3.2 Data Retention and Deletion

We follow strict data retention policies and provide secure data deletion capabilities:

  • Customer-controlled data retention periods
  • Secure data deletion upon request
  • Cryptographic erasure for secure deletion
  • 30-day grace period for data export after account deletion
  • Compliance with data protection regulations (GDPR, CCPA)

4 Compliance & Certifications

TigerLabel maintains compliance with industry standards and regulations to ensure the highest level of security and data protection.

  • SOC 2 Type II (Certified): annual audit of security, availability, and confidentiality controls
  • ISO 27001 (Certified): international standard for information security management
  • GDPR (Compliant): full compliance with EU data protection regulations
  • HIPAA (Available): BAA available for healthcare customers processing PHI

4.1 Additional Compliance

  • CCPA / CPRA: California Consumer Privacy Act compliance with data subject rights support
  • PCI DSS Level 1: payment processing through a PCI-compliant provider (Stripe)
  • Privacy Shield: Standard Contractual Clauses for EU-US data transfers
  • FERPA: support for educational institutions with FERPA requirements

5 Incident Response

We maintain a comprehensive incident response plan to quickly identify, contain, and remediate security incidents while minimizing impact to our customers.

Incident Response Process

1. Detection: 24/7 monitoring and alerting systems detect potential security incidents in real time

2. Triage & Classification: the incident response team assesses severity and determines the appropriate response

3. Containment: immediate actions are taken to contain the incident and prevent further damage

4. Investigation: forensic analysis to understand scope, root cause, and affected systems

5. Remediation: implement fixes, patches, and security improvements to address the vulnerabilities found

6. Communication: notify affected customers within 72 hours in accordance with breach notification laws

7. Post-Incident Review: conduct a lessons-learned session and update procedures to prevent recurrence

Customer Notification

In the event of a security incident that may affect your data, we will notify you promptly via email and through our status page. We provide transparent communication about the nature of the incident, affected systems, and remediation steps.

6 Security Certifications

Our security program is validated by independent third-party auditors and security firms. We maintain industry-recognized certifications and undergo regular assessments.

Annual Security Assessments

  • SOC 2 Type II Audit

    Annual audit by independent CPA firm covering security, availability, and confidentiality

  • Penetration Testing

    Annual penetration testing by independent security firms (application and infrastructure)

  • Vulnerability Assessments

    Quarterly vulnerability scanning and continuous security monitoring

  • Code Security Review

    Continuous SAST/DAST scanning and manual security code reviews

7 Responsible Disclosure Program

We welcome security researchers to help us keep TigerLabel secure. If you discover a security vulnerability, please report it to us responsibly.

How to Report a Vulnerability

Email: security@tigerlabel.com

We will respond within 24 hours to acknowledge receipt.

What to Include

  • Detailed description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact and severity assessment
  • Your contact information for follow-up
  • Screenshots or proof-of-concept code (if applicable)

Our Commitment

  • We will respond to your report within 24 hours
  • We will provide regular updates on our progress
  • We will not take legal action against good-faith security researchers
  • We will credit you for your discovery (if desired)
  • We offer monetary rewards for significant vulnerabilities

Responsible Disclosure Guidelines

To qualify for protection under our program:

  • Do not access or modify customer data
  • Do not perform denial of service attacks
  • Do not use social engineering or phishing
  • Give us reasonable time to address the issue before public disclosure (90 days)
  • Do not violate any laws or regulations

8 Contact Security Team

For security-related inquiries, vulnerability reports, or to request security documentation, please contact our security team.

Security Team

General Inquiries: security@tigerlabel.com

Vulnerability Reports: security@tigerlabel.com

Enterprise Security

For enterprise customers requiring additional security documentation, custom security assessments, or compliance support: enterprise@tigerlabel.com

Security Updates

Subscribe to security advisories and updates at status.tigerlabel.com